We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Privacy regulations affect internet and social media businesses

New business models are being created by the popularity of text-messaging, social-networking and location-aware services, and the increasing integration of these services into smartphone and tablet applications, internet “virtual worlds” and games, as well as shopping and coupon sites. These technologies provide new ways to reach consumers through personal contacts, the places (real or virtual) that they visit and by way of communication channels previously not widely used for commercial purposes. These technologies are in high demand and offer businesses effective ways to reach their target audience.

Entrepreneurs, as well as private equity and venture capital groups have taken notice. Businesses creating new web solutions or smartphone applications that implement social networking and emerging communication methods are being formed and funded in great numbers. Consolidation of this industry will likely increase rapidly over the next decade.

All these new services pose rapidly evolving privacy and safety concerns. Chief among them is the protection of children’s privacy, and there is momentum to expand that protection for children, and bring it to other consumers, as well.

Any company or business providing these services should be aware of developments in applicable federal regulation and perform appropriate diligence to evaluate the business’s compliance. These regulations have detailed requirements, and carefully-crafted exceptions may be applicable to the particular technology implementation of some businesses.

Collecting and Using Personal Information

Currently, the Children’s Online Privacy Protection Act (COPPA) is one of the most restrictive privacy-protection regulations. It addresses the collection and use of personally identifiable information about children 12 and under. However, the Federal Trade Commission has released a proposed privacy framework that would expand privacy protections to everyone, and on September 15, 2011, the FTC released some proposed changes to COPPA. They include the proposed expansion of the definition of “personal information” to include IP addresses, customer numbers held in cookies, and geolocation information.

COPPA currently applies to a broad range of websites and uses of collected information, and to any site determined to be directed at children under 13. The FTC may consider a website that includes advertisements directed at children or that has animated characters to be a website “directed at children” for purposes of COPPA. Other factors include empirical evidence of the site’s audience. Generally, COPPA requires that operators of websites directed at children post a privacy policy describing practices regarding children’s personal information, provide direct notice to parents and obtain verifiable parental consent, and also allow parents to give a kind of limited consent and review any collected information about their child.

This year, the FTC announced a $3 million civil penalty to settle an enforcement action against Playdom, Inc., an operator of a number of online “virtual worlds.” The company was charged with collecting and disclosing children’s personal information without parental consent.

Playdom is an example of consolidation in the industry. It became a subsidiary of Disney Enterprises, Inc., itself a subsidiary of The Walt Disney Company in 2010. Operators of similar business should take notice and are well-advised to evaluate their practices for compliance. Acquirers of or investors in companies with websites that may be directed at children should request detailed COPPA-compliance procedures, as well as indemnifications for COPPA violations. Acquirers should also either implement strategies to maintain COPPA compliance after the acquisition or retain key management to ensure it. Companies operating such websites should also consider engaging experts or one of the organizations approved as COPPA “safe-harbors.”

Communicating with Consumers

Federal regulations also apply when contacting existing and potential customers. The Telephone Consumer Protection Act (TCPA) imposes certain restrictions on the use of telephone equipment, among them prohibitions applicable to calls made to wireless devices. Under TCPA, it is unlawful to make any call (other than a call made with the prior express consent of the called party) using any automatic telephone dialing system or pre-recorded voice to any telephone number assigned to a cellular telephone service.

Note there is no requirement that the call be a commercial or telemarketing call in order to trigger regulation under the statute. Rather, the statute prohibits any such calls to cell phones without the recipient’s consent.

Several courts have accepted an interpretation of a “call” under TCPA to include a text message, citing FCC comments. These courts have also broadly interpreted “automatic telephone dialing system” to include any system which has even the capacity to make random calls. Therefore, a business that plans to implement automatic text messaging as part of, for example, a new smart-phone application or website should consider the applicability of TCPA to its service and, if necessary, obtain prior express consent from the recipient.

Currently, written consent is required under TCPA only for text message recipients on the national “Do-Not-Call” list. In January 2010, the Federal Communications Commission (the agency that enforces TCPA) issued a Notice of Proposed Rulemaking that, if adopted, would require prior written consent regardless of the recipient’s DNC list status.

In addition to the potential for federal enforcement, a private right of action is provided under TCPA, and a number of class action lawsuits have been filed against companies alleged to be engaging in messaging in violation of TCPA. Acquirers or investors in companies potentially engaging in such practices should investigate both TCPA compliance and any pending litigation against the target.

Recorded audio messages are also subject to federal regulation, and the Telemarketing Sales Rule (TSR) specifically regulates telemarketing calls. Telemarketers are no longer permitted to call a consumer based solely on an existing business relationship. The TSR also prohibits telemarketing calls that deliver a pre-recorded message unless the seller has obtained from the recipient of the call an express, written agreement. “Telemarketing” is defined as “a plan, program or campaigns which is conducted to induce the purchase of goods or services.”

The FTC has said that the TSR does not apply to strictly informational calls (such as those from an airline notifying consumers about a cancelled flight). The FTC staff concluded in one case that a proposed message announcing temporary free access to a subscription service, when followed by other communications delivered via other channels that would provide consumers with purchase information, was not purely informational and therefore within the TSR definition of telemarketing. The FTC’s comments indicate that the informational exception to the pre-recorded call prohibition call must provide information related to a good or service purchased in a prior transaction and may not contain language intended to induce additional purchases.

For purposes of TCPA and the TSR, where written consent is required, companies can obtain consent via the methods described in the Electronic Signatures in Global and National Commerce Act (E-SIGN). E-SIGN includes email. The TSR imposes certain requirements on such agreements.

Existing regulations affect the business practices of a host of emerging businesses, but often these regulations are not considered carefully when getting a new venture off the ground. Becoming informed at the outset about applicable regulations and ensuring compliance will help to reduce liabilities, prevent distraction from the core mission of the business and, if and when future investors or buyers enter the picture, avoid raising a red-flag.

The restrictions may represent as much opportunity as they do limitation. Applications that can demonstrate compliance with these regulations should see more demand for their products’ capabilities.

Compare jurisdictions:Data Security & Cybercrime

“As in house counsel for a medium sized NZ group of companies, I find the newsfeeds very useful as they keep me up-to-date with the latest legal info in areas I have subscribed for. The quality is very good and I would not hesitate to recommend to colleagues.”